It is common for a domain to have more than one Domain Controller. Every ordinary DC has full write access to the directory. Some tasks, however, are more sensitive than others, and it would be risky to let the same data be modified on several DCs at the same time.
This is where FSMO roles come in. They split the tasks of a DC into five separate roles which together represent the full AD structure.
The 5 FSMO roles:
- Schema Master – forest wide
- Domain Naming Master – forest wide
- Relative ID (RID) Master – domain wide
- Primary Domain Controller (PDC) Emulator – domain wide
- Infrastructure Master – domain wide
The Schema Master defines all the attributes an object in the AD database can have, such as:
- Phone number
- Login ID
- Email Address
Domain Naming Master
This is the master of the domain names. It makes sure that we don’t create a domain with the same name as an existing one in the same forest. Since this is not a heavy task, it can easily be taken on by a DC that already holds another role.
The RID Master assigns blocks of SIDs to the different DCs, which use them for newly created objects. Each object in AD has a SID. By granting each DC the right to assign only a certain range of SIDs, the RID Master prevents two objects from ending up with the same one.
The DC holding the PDC Emulator role is the authoritative DC in the domain. The PDC Emulator manages GPOs (Group Policy Objects), responds to authentication requests, handles password changes and keeps time and date in sync for the entire domain.
The Infrastructure Master translates Globally Unique Identifiers (GUIDs), SIDs and Distinguished Names (DNs) between domains. If we have multiple domains in our forest, the Infrastructure Master maintains the references to objects, such as users, that were created in another domain.
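As an added example, not part of the original article, the PowerShell script below lists which DC holds each of the five roles described above, cross-checks that against what every DC reports about itself, and runs the built-in checks for the RID Master, role-holder agreement and the PDC Emulator's time source. It assumes the RSAT ActiveDirectory module and the dcdiag and w32tm tools are available on the host and that the session runs under an account with read rights on the forest and domain objects.

```powershell
# Added example (not from the original article): enumerate FSMO role holders.
# Assumes the RSAT ActiveDirectory module is installed and the session can read
# the forest and domain objects.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles live on the forest object, domain-wide roles on the domain object.
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'RID Master'            = $domain.RIDMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'Infrastructure Master' = $domain.InfrastructureMaster
}

$roles.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Role = $_.Key; Holder = $_.Value }
} | Format-Table -AutoSize

# Cross-check against what each DC believes it holds (OperationMasterRoles is a
# property of the objects returned by Get-ADDomainController); a mismatch with the
# table above usually points at replication that has not converged yet.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, OperationMasterRoles |
    Format-Table -AutoSize

# Report how many distinct DCs hold roles; a single holder means schema changes,
# RID allocation, password changes and time sync all depend on one machine.
$distinct = @($roles.Values | Sort-Object -Unique).Count
Write-Output "FSMO roles are spread across $distinct domain controller(s)."

# Role-specific health checks with built-in tools:
# - RidManager verifies the RID Master is reachable and RID pools are being handed out
# - KnowsOfRoleHolders verifies every DC agrees on who holds the roles
# - w32tm /query /source shows where this host gets its time; on a member DC this
#   should lead back to the PDC Emulator
dcdiag /test:RidManager /v
dcdiag /test:KnowsOfRoleHolders
w32tm /query /source
```

Run it from an elevated PowerShell session on a domain-joined administrative host; the first two tables should agree with each other, and any dcdiag failure or an unexpected time source is the first thing to look at when role-holder behaviour (RID exhaustion, password changes not taking effect, clock drift) goes wrong.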